A hacker can exploit this vulnerability to execute arbitrary SQL commands with the privileges of the user that installed the application. In a highly critical scenario, it may be possible to take over the system. To protect against SQL injection, the application should validate input before using it in a query. In the case of Open Source SACCO Management System, the id parameter was not validated, which allowed remote attackers to execute arbitrary SQL commands. The following example shows how to exploit this vulnerability.

1. Install and configure the application on a server.
2. Create a user account with limited privileges and authority.
3. Navigate to /sacco_shield/ajax.php?action=delete_payment.
4. Type the following code into the “POST” box and press “Submit”: “flush(‘device_name’)”

In the preceding example, “flush” is an arbitrary SQL command that will be executed with the privileges of the user that installed the application. This is a critical vulnerability since it can be used to take over the system. SANS recommends that application developers review their applications for SQL injection flaws, and that users consider limiting user accounts to only those that absolutely require the access.

SQL Injection (CWE-352)

SQL Injection is a vulnerability that occurs when an application does not validate input or uses unsafe input validation methods. This can be used to execute arbitrary SQL commands with the privileges of the user that installed the application. To protect against SQL injection, the application should validate input before using it in a query.
CVE-2022-41515 is a vulnerability in Open Source SACCO Management System that allows remote attackers to execute arbitrary SQL commands on vulnerable installations by submitting an id parameter without validation.
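The root cause described above is a request parameter (here an `id` used by a delete action) reaching the database without validation. The following added example is not code from Open Source SACCO Management System (which is written in PHP); it is a Python/SQLite illustration of the same defect and its fix. The `payments` table, its rows and the hypothetical `delete_payment_unsafe` and `delete_payment_safe` functions are all constructed for this example. The unsafe version interpolates the parameter into the SQL string, so a non-numeric value changes the query's meaning; the safe version first checks that the parameter is a positive integer and then binds it as a query parameter, so the database never parses attacker-controlled text as SQL.

```python
import sqlite3


def make_db():
    """Create an in-memory SQLite database with a constructed payments table (sample data, not the project's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE payments (id INTEGER PRIMARY KEY, member TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO payments VALUES (?, ?, ?)",
        [(1, "alice", 50.0), (2, "bob", 75.0), (3, "carol", 20.0)],
    )
    conn.commit()
    return conn


def count_payments(conn):
    """Return how many payment rows remain; used to observe the effect of each delete."""
    return conn.execute("SELECT COUNT(*) FROM payments").fetchone()[0]


def delete_payment_unsafe(conn, id_param):
    """Vulnerable pattern: the request parameter is pasted straight into the SQL text.

    Any text the caller supplies becomes part of the statement, so the WHERE
    clause can be rewritten by the caller. Returns the number of rows deleted.
    """
    sql = f"DELETE FROM payments WHERE id = {id_param}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def validate_id(id_param):
    """Allow-list validation for an id parameter: a string of decimal digits that is a positive integer."""
    if not isinstance(id_param, str) or not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    value = int(id_param)
    if value <= 0:
        raise ValueError("id must be a positive integer")
    return value


def delete_payment_safe(conn, id_param):
    """Hardened pattern: validate the parameter, then bind it with a placeholder.

    The SQL text is fixed; the value travels to the database as data, never as
    part of the statement. Returns the number of rows deleted.
    """
    payment_id = validate_id(id_param)
    cur = conn.execute("DELETE FROM payments WHERE id = ?", (payment_id,))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    # Constructed malicious input: a tautology appended to a numeric id.
    bad_input = "1 OR 1=1"

    conn = make_db()
    print("unsafe deleted:", delete_payment_unsafe(conn, bad_input),
          "remaining:", count_payments(conn))

    conn = make_db()
    try:
        delete_payment_safe(conn, bad_input)
    except ValueError as exc:
        print("safe rejected input:", exc, "remaining:", count_payments(conn))
    print("safe deleted:", delete_payment_safe(conn, "2"),
          "remaining:", count_payments(conn))
```

Running the script shows the unsafe function deleting every row for the tautology input, while the safe function rejects it before any query runs and, for a well-formed id, deletes exactly one row. Binding alone would already defeat the injection; the explicit integer check is added so that malformed input is rejected with a clear error and can be logged, which is a useful detection signal for this kind of probing.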

Vulnerability Discovery and Attribution

A vulnerability was discovered in Open Source SACCO Management System and is tracked as CVE-2022-41515. This vulnerability allows a remote attacker to execute arbitrary SQL commands with the privileges of the user that installed the application. The exploitation steps are the same as those listed in the first section above.

SQL Injection Attack

SQL injection is one of the most common vulnerabilities that affect software applications. Injection flaws are a significant threat to every application. As hackers become more skilled and creative, vulnerabilities like SQL injection can be easily exploited.
The Open Source SACCO Management System is vulnerable to SQL injection, as demonstrated in the following screenshot:

[Screenshot: SQL injection vulnerability example]

A hacker can exploit this vulnerability to execute arbitrary SQL commands with the privileges of the user that installed the application. This is a critical vulnerability since it allows remote attackers to take over the system by executing arbitrary SQL commands. In this scenario, an attacker could create a user account with limited privileges, then access /sacco_shield/ajax.php?action=delete_payment and type “flush(‘device_name’)”, which will be executed with the privileges of the account created in step 2.

SQL Injection - Example

The Open Source SACCO Management System was vulnerable to the SQL injection flaw CVE-2022-41515. This vulnerability can be exploited by an attacker that has access to the Web management interface. To exploit it, the attacker must first install and configure the application on a server, then create a user with limited privileges and authority, as in the steps listed in the first section above.

Timeline

Published on: 10/07/2022 18:15:00 UTC
Last modified on: 10/10/2022 02:31:00 UTC
